Focusing on people and process can reduce cyber risk and maximise the effectiveness of your cybersecurity toolkit

Evolving cybersecurity tools require balanced focus on people, processes, technology for effective protection and board communication.

Cybersecurity is a massive global industry, with over three and a half thousand tools on the market designed to counter the myriad threats organisations face. Each time a new threat or risk is identified, a new cybersecurity tool arrives to combat it.


In parallel with this market complexity there’s the significant technological change that organisations have undergone over the last few years. Those changes have resulted in new threat surfaces that need to be defended. This makes it increasingly difficult for organisations to know what cybersecurity tools they need to protect themselves from emerging threats.

Steve Hunter, the director of sales engineering at Arctic Wolf for Australia and New Zealand, says that every time threat actors create a new cyber security threat or technique, it invariably leads to the development of new tools, which makes it much more complex for organisations to improve their security posture.

“Cyber risk hasn't reduced,” Hunter says. “As we integrate more technology into our lives and our businesses, the number of possible weak points that attackers can exploit increases. Last year, Australia saw over 94,000 cybercrime reports to the Australian Cyber Security Centre, and the average cost of cybercrime was up by 14 percent, with midsize businesses the hardest hit.”

The people, process and technology model has been a part of IT for several decades. Hunter’s view is that the industry has focused more on the technology element because it is easier for vendors to scale in a well-understood way: once a product exists, it can be sold to and deployed across many organisations in much the same way. The process and people elements are more complex.

“The process pillar is specific to each organisation. The way that one company or organisation implements ISO 27001 is different to the way that another company might do it. My advice is to pick something specific to your business that is useful but implementable. The Essential 8 is an easy-to-understand framework for this, or you could look to your cyber insurance renewal form to give you even simpler guidance as a place to start,” he suggests.

When it comes to people, organisations need to think about two distinct cohorts. There are employees whose job isn't day-to-day cybersecurity but who all play a part in keeping the business safe. Then there is the cyber talent that secures your organisation. These people are in high demand and short supply. One way to overcome that shortfall is through a fusion of internal staff and external providers, so that broad external expertise is married with internal business knowledge and context.

Building the internal cybersecurity culture needs to start at the most senior levels, so communication is critical. Engaging management and boards means communicating with them in their language. The Australian Institute of Company Directors recently identified that it was a red flag for the board if cyber risk reporting was hard to digest, featured excessive jargon and relied on technical solutions.

“Frame the discussion as a change management conversation that is about improvement from the baseline cyber environment today to an appropriate, pragmatic future state,” says Hunter.

Cybersecurity discussions with the board should be straightforward business conversations in which the cost and the value of the risk mitigated are talked about frankly. Cyber incident costs are generally well understood and have only a few components: the direct cost of the response, the cost of the eviction and clean-up actions, and the cost of business interruption. Whilst there are secondary costs such as reputational damage, the costs that are easier to quantify are the place to start.

Armed with that data, cybersecurity leaders can talk to boards in familiar terms that enable them to make a data-led decision, weighing up the risk of an incident against the cost of mitigation and remediation. Effective communication of cybersecurity risks and threats at board level is essential and should be done in the context of the risk and financial impact a breach could have on the business.

By using available data, consulting with industry peers and understanding your security posture you can quantify cybersecurity risk in business terms. Technology can provide the foundation to address cyber risk, but focusing on people and process will help to alleviate the technical complexity inherent in the conversation and ensure organisations get the best possible value and protection from their existing cybersecurity tools.

© Digital Nation